Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache2-mod_auth_openidc for openSUSE:Factory checked in at 2021-05-10 15:38:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc" Mon May 10 15:38:45 2021 rev:17 rq:891851 version:2.4.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes 2021-04-12 12:40:25.621582878 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2988/apache2-mod_auth_openidc.changes 2021-05-10 15:41:18.657102448 +0200 @@ -1,0 +2,17 @@ +Fri May 7 17:38:51 UTC 2021 - Michael Str??der <mich...@stroeder.com> + +- Update to version 2.4.8.1 + * Bugfixes + - fix potential crash when the Content-Type header is not set in POST requests + - avoid jwt/proto_state json_object memory leaks on cache failures + - when an OAuth 2.0 RS token scope/claim authorization (401 ) error + occurs, add a OIDC_OAUTH_BEARER_SCOPE_ERROR environment variable for + usage with mod_headers, instead of adding a header ourselves; see #572 + * Features + - add options to configure Redis connectivity timeouts with + OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout + - add OIDCClientTokenEndpointKeyPassword option to set a private key + password for the client's private key to be used against the token + endpoint; see #576 + +------------------------------------------------------------------- Old: ---- mod_auth_openidc-2.4.7.tar.gz New: ---- mod_auth_openidc-2.4.8.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_auth_openidc.spec ++++++ --- /var/tmp/diff_new_pack.hNyEFG/_old 2021-05-10 15:41:19.097100727 +0200 +++ /var/tmp/diff_new_pack.hNyEFG/_new 2021-05-10 15:41:19.101100711 +0200 
@@ -17,7 +17,7 @@ Name: apache2-mod_auth_openidc -Version: 2.4.7 +Version: 2.4.8.1 Release: 0 Summary: Apache2.x module for an OpenID Connect enabled Identity Provider License: Apache-2.0 ++++++ mod_auth_openidc-2.4.7.tar.gz -> mod_auth_openidc-2.4.8.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/AUTHORS new/mod_auth_openidc-2.4.8.1/AUTHORS --- old/mod_auth_openidc-2.4.7/AUTHORS 2021-04-01 21:49:05.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/AUTHORS 2021-05-07 15:06:37.000000000 +0200 @@ -68,3 +68,5 @@ Chris Pawling <https://github.com/chris468> Matthias Flesch??tz <https://github.com/blindzero> Harri Rautila <https://github.com/hrautila> + Tatsuhiko Yasumatsu + Adam Stadler <https://github.com/tzfx> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/ChangeLog new/mod_auth_openidc-2.4.8.1/ChangeLog --- old/mod_auth_openidc-2.4.7/ChangeLog 2021-04-05 15:59:05.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/ChangeLog 2021-05-07 15:06:52.000000000 +0200 
@@ -1,3 +1,25 @@ +05/07/2021 +- add OIDCClientTokenEndpointKeyPassword option to allow the use of an encrypted private key +- release 2.4.8.1 + +04/30/2021 +- fix potential crash when Content-Type is not set in POST requests; thanks Tatsuhiko Yasumatsu of JPCERT/CC +- release 2.4.8 + +04/21/2021 +- on OAuth 2.0 RS token scope/claim 401 error, add environment variable for usage with mod_headers, + instead of adding a header ourselves; see #572; usage, e.g; + Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OIDC_OAUTH_BEARER_SCOPE_ERROR'))" +- bump to 2.4.8-dev + +04/13/2021 +- add OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout options to configure Redis timeouts +- bump to 2.4.7.2 + +04/12/2021 +- fix memory leaks when caching fails +- bump to 2.4.7.1 + 04/04/2021 - improve documentation on OIDCPreservePost - release 2.4.7 @@ -102,6 +124,13 @@ - bump to 2.4.4.1 09/01/2020 +- forward port Tufin patches +- always set session cookie same site policy to Lax +- disable cookie domain check +- unset host headers for metadata URL retrieval +- bump to 2.4.4-tufin + +09/01/2020 - avoid GCC 9 compiler warnings - release 2.4.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/README.md new/mod_auth_openidc-2.4.8.1/README.md --- old/mod_auth_openidc-2.4.7/README.md 2021-03-31 14:24:36.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/README.md 2021-04-30 19:42:05.000000000 +0200 
@@ -38,8 +38,6 @@ - [OpenID Connect Session Management 1.0](http://openid.net/specs/openid-connect-session-1_0.html) *(implementers draft; see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management) for information on how to configure it)* - [OpenID Connect Front-Channel Logout 1.0](http://openid.net/specs/openid-connect-frontchannel-1_0.html) *(implementers draft)* - [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html) *(implementers draft)* -- [OpenID Connect Token Bound Authentication](https://openid.net/specs/openid-connect-token-bound-authentication-1_0.html) *(draft spec; when combined with [mod_token_binding](https://github.com/zmartzone/mod_token_binding))* -- [OAuth 2.0 Token Binding for Authorization Codes for Web Server Clients](https://tools.ietf.org/html/draft-ietf-oauth-token-binding-07#section-5.2) *(draft spec)* For an exhaustive description of all configuration options, see the file `auth_openidc.conf` in this directory. This file can also serve as an include file for `httpd.conf`. 
@@ -48,13 +46,13 @@ ------- #### Community Support -For generic questions, see the Wiki pages with Frequently Asked Questions at: +For documentation, see the Wiki pages (including Frequently Asked Questions) at: [https://github.com/zmartzone/mod_auth_openidc/wiki](https://github.com/zmartzone/mod_auth_openidc/wiki) -There is a Google Group/mailing list at: - [mod_auth_open...@googlegroups.com](mailto:mod_auth_open...@googlegroups.com) -The corresponding forum/archive is at: +For generic questions there is a Github Discussions forum at: + [https://github.com/zmartzone/mod_auth_openidc/discussions](https://github.com/zmartzone/mod_auth_openidc/discussions) +There is a (now deprecated) Google Group/mailing list archive at: [https://groups.google.com/forum/#!forum/mod_auth_openidc](https://groups.google.com/forum/#!forum/mod_auth_openidc) -Any questions/issues should go to the mailing list. +Any questions/issues should go to the Discussions forum. #### Commercial Services For commercial Support contracts, Professional Services, Training and use-case specific support you can contact: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/auth_openidc.conf new/mod_auth_openidc-2.4.8.1/auth_openidc.conf --- old/mod_auth_openidc-2.4.7/auth_openidc.conf 2021-04-05 16:03:29.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/auth_openidc.conf 2021-05-07 15:06:37.000000000 +0200 
@@ -230,6 +230,14 @@ # NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key #OIDCClientTokenEndpointKey <filename> +# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the +# Client in calls to the token endpoint of the OAuth 2.0 Authorization server. +# If the value begins with exec: the resulting command will be executed and the +# first line returned to standard output by the program will be used as the password. +# The command may be absolute or relative to the web server root. +# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd +#OIDCClientTokenEndpointKeyPassword [ <passphrase> | "exec:/path/to/otherProgram arg1" ] + # The client name that the client registers in dynamic registration with the OP. # When not defined, no client name will be sent with the registration request. # NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name @@ -433,7 +441,7 @@ # Backrefrences must be in the form $1, $2.. etc. # E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use # ^(.*)@([^.]+)\..+$ $2\\$1 -#OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>] +#OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>] [substitution-string] # Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server. # Must be one or several of: 
@@ -629,6 +637,14 @@ # When not defined the default database 0 is used. #OIDCRedisCacheDatabase <number> +# Timeout for connecting to the Redis servers. +# When not defined the default connect timeout is 5 seconds. +#OIDCRedisCacheConnectTimeout <seconds> + +# Timeout waiting for a response of the Redis servers after a request was sent. +# When not defined the default timeout is 5 seconds. +#OIDCRedisCacheTimeout <seconds> + ######################################################################################## # # Advanced Settings @@ -716,7 +732,7 @@ # Backrefrences must be in the form $1, $2.. etc. # E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use # ^(.*)@([^.]+)\..+$ $2\\$1 -#OIDCRemoteUserClaim <claim-name>[@] [<regular-expression>] +#OIDCRemoteUserClaim <claim-name>[@] [<regular-expression>] [substitution-string] # Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs. # Must be one or several of: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/configure new/mod_auth_openidc-2.4.8.1/configure --- old/mod_auth_openidc-2.4.7/configure 2021-04-05 16:03:52.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/configure 2021-05-07 15:07:55.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.7. +# Generated by GNU Autoconf 2.71 for mod_auth_openidc 2.4.8.1. # # Report bugs to <hans.zandb...@zmartzone.eu>. # @@ -610,8 +610,8 @@ # Identity of this package. PACKAGE_NAME='mod_auth_openidc' PACKAGE_TARNAME='mod_auth_openidc' -PACKAGE_VERSION='2.4.7' -PACKAGE_STRING='mod_auth_openidc 2.4.7' +PACKAGE_VERSION='2.4.8.1' +PACKAGE_STRING='mod_auth_openidc 2.4.8.1' PACKAGE_BUGREPORT='hans.zandb...@zmartzone.eu' PACKAGE_URL='' 
@@ -1301,7 +1301,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mod_auth_openidc 2.4.7 to adapt to many kinds of systems. +\`configure' configures mod_auth_openidc 2.4.8.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1364,7 +1364,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mod_auth_openidc 2.4.7:";; + short | recursive ) echo "Configuration of mod_auth_openidc 2.4.8.1:";; esac cat <<\_ACEOF @@ -1478,7 +1478,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mod_auth_openidc configure 2.4.7 +mod_auth_openidc configure 2.4.8.1 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -1634,7 +1634,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mod_auth_openidc $as_me 2.4.7, which was +It was created by mod_auth_openidc $as_me 2.4.8.1, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2292,7 +2292,7 @@ -NAMEVER=mod_auth_openidc-2.4.7 +NAMEVER=mod_auth_openidc-2.4.8.1 # This section defines the --with-apxs2 option. @@ -4952,7 +4952,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mod_auth_openidc $as_me 2.4.7, which was +This file was extended by mod_auth_openidc $as_me 2.4.8.1, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -5007,7 +5007,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -mod_auth_openidc config.status 2.4.7 +mod_auth_openidc config.status 2.4.8.1 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/configure.ac new/mod_auth_openidc-2.4.8.1/configure.ac --- old/mod_auth_openidc-2.4.7/configure.ac 2021-04-05 15:58:33.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/configure.ac 2021-05-07 15:07:20.000000000 +0200 @@ -1,4 +1,4 @@ -AC_INIT([mod_auth_openidc],[2.4.7],[hans.zandb...@zmartzone.eu]) +AC_INIT([mod_auth_openidc],[2.4.8.1],[hans.zandb...@zmartzone.eu]) AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/cache/redis.c new/mod_auth_openidc-2.4.8.1/src/cache/redis.c --- old/mod_auth_openidc-2.4.7/src/cache/redis.c 2021-04-01 21:49:53.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/cache/redis.c 2021-05-03 19:36:20.000000000 +0200 @@ -64,9 +64,14 @@ apr_port_t port; char *passwd; int database; + struct timeval connect_timeout; + struct timeval timeout; redisContext *ctx; } oidc_cache_cfg_redis_t; +#define REDIS_CONNECT_TIMEOUT_DEFAULT 5 +#define REDIS_TIMEOUT_DEFAULT 5 + /* create the cache context */ static void *oidc_cache_redis_cfg_create(apr_pool_t *pool) { oidc_cache_cfg_redis_t *context = apr_pcalloc(pool, @@ -75,6 +80,10 @@ context->host_str = NULL; context->passwd = NULL; context->database = -1; + context->connect_timeout.tv_sec = REDIS_CONNECT_TIMEOUT_DEFAULT; + context->connect_timeout.tv_usec = 0; + context->timeout.tv_sec = REDIS_TIMEOUT_DEFAULT; + context->timeout.tv_usec = 0; context->ctx = NULL; return context; } 
@@ -128,6 +137,12 @@ if (cfg->cache_redis_database != -1) context->database = cfg->cache_redis_database; + if (cfg->cache_redis_connect_timeout != -1) + context->connect_timeout.tv_sec = cfg->cache_redis_connect_timeout; + + if (cfg->cache_redis_timeout != -1) + context->timeout.tv_sec = cfg->cache_redis_timeout; + if (oidc_cache_mutex_post_config(s, context->mutex, "redis") == FALSE) return HTTP_INTERNAL_SERVER_ERROR; @@ -186,7 +201,8 @@ if (context->ctx == NULL) { /* no connection, connect to the configured Redis server */ - context->ctx = redisConnect(context->host_str, context->port); + oidc_debug(r, "calling redisConnectWithTimeout"); + context->ctx = redisConnectWithTimeout(context->host_str, context->port, context->connect_timeout); /* check for errors */ if ((context->ctx == NULL) || (context->ctx->err != 0)) { @@ -233,6 +249,10 @@ /* free the database answer */ oidc_cache_redis_reply_free(&reply); } + + if (redisSetTimeout(context->ctx, context->timeout) != REDIS_OK) + oidc_error(r, "redisSetTimeout failed: %s", context->ctx->errstr); + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/config.c new/mod_auth_openidc-2.4.8.1/src/config.c --- old/mod_auth_openidc-2.4.7/src/config.c 2021-04-03 20:06:43.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/config.c 2021-05-07 15:06:37.000000000 +0200 @@ -210,6 +210,7 @@ #define OIDCClientSecret "OIDCClientSecret" #define OIDCClientTokenEndpointCert "OIDCClientTokenEndpointCert" #define OIDCClientTokenEndpointKey "OIDCClientTokenEndpointKey" +#define OIDCClientTokenEndpointKeyPassword "OIDCClientTokenEndpointKeyPassword" #define OIDCDefaultLoggedOutURL "OIDCDefaultLoggedOutURL" #define OIDCCookieHTTPOnly "OIDCCookieHTTPOnly" #define OIDCCookieSameSite "OIDCCookieSameSite" 
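Review bot: `redisSetTimeout(context->ctx, context->timeout)` is applied only after the connection has already been used, so the commands this function sends right after `redisConnectWithTimeout` (the reply it frees in `oidc_cache_redis_reply_free(&reply)` just above the new call, presumably AUTH/SELECT) still block without the configured OIDCRedisCacheTimeout; moving the call to directly after the connect error check would cover every command on the context. The post-config hunk also copies the raw directive value into `tv_sec` unchecked; as far as I recall hiredis rejects a negative timeval and treats a zero timeout as an immediate timeout, so values `<= 0` should be rejected or replaced by the default with a log line rather than stored silently. The connect function starts and ends outside this hunk.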
@@ -248,6 +249,8 @@ #define OIDCCacheFileCleanInterval "OIDCCacheFileCleanInterval" #define OIDCRedisCachePassword "OIDCRedisCachePassword" #define OIDCRedisCacheDatabase "OIDCRedisCacheDatabase" +#define OIDCRedisCacheConnectTimeout "OIDCRedisCacheConnectTimeout" +#define OIDCRedisCacheTimeout "OIDCRedisCacheTimeout" #define OIDCHTMLErrorTemplate "OIDCHTMLErrorTemplate" #define OIDCDiscoverURL "OIDCDiscoverURL" #define OIDCPassCookies "OIDCPassCookies" @@ -1241,6 +1244,7 @@ provider->client_secret = NULL; provider->token_endpoint_tls_client_cert = NULL; provider->token_endpoint_tls_client_key = NULL; + provider->token_endpoint_tls_client_key_pwd = NULL; provider->registration_endpoint_url = NULL; provider->registration_endpoint_json = NULL; provider->check_session_iframe = NULL; @@ -1340,6 +1344,8 @@ c->cache_redis_server = NULL; c->cache_redis_password = NULL; c->cache_redis_database = -1; + c->cache_redis_connect_timeout = -1; + c->cache_redis_timeout = -1; #endif c->metadata_dir = NULL; @@ -1465,6 +1471,10 @@ add->provider.token_endpoint_tls_client_key != NULL ? add->provider.token_endpoint_tls_client_key : base->provider.token_endpoint_tls_client_key; + c->provider.token_endpoint_tls_client_key_pwd = + add->provider.token_endpoint_tls_client_key_pwd != NULL ? + add->provider.token_endpoint_tls_client_key_pwd : + base->provider.token_endpoint_tls_client_key_pwd; c->provider.token_endpoint_tls_client_cert = add->provider.token_endpoint_tls_client_cert != NULL ? add->provider.token_endpoint_tls_client_cert : @@ -1760,6 +1770,12 @@ c->cache_redis_database = add->cache_redis_database != -1 ? add->cache_redis_database : base->cache_redis_database; + c->cache_redis_connect_timeout = + add->cache_redis_connect_timeout != -1 ? + add->cache_redis_connect_timeout : base->cache_redis_connect_timeout; + c->cache_redis_timeout = + add->cache_redis_timeout != -1 ? + add->cache_redis_timeout : base->cache_redis_timeout; #endif c->metadata_dir = 
@@ -2950,7 +2966,11 @@ (void*)APR_OFFSETOF(oidc_cfg, provider.token_endpoint_tls_client_key), RSRC_CONF, "TLS client certificate private key used for calls to OpenID Connect OP token endpoint."), - + AP_INIT_TAKE1(OIDCClientTokenEndpointKeyPassword, + oidc_set_passphrase_slot, + (void*)APR_OFFSETOF(oidc_cfg, provider.token_endpoint_tls_client_key_pwd), + RSRC_CONF, + "TLS client certificate private key password used for calls to OpenID Connect OP token endpoint."), AP_INIT_TAKE1(OIDCRedirectURI, oidc_set_relative_or_absolute_url_slot, (void *)APR_OFFSETOF(oidc_cfg, redirect_uri), @@ -3200,6 +3220,16 @@ (void*)APR_OFFSETOF(oidc_cfg, cache_redis_database), RSRC_CONF, "Database for the Redis servers."), + AP_INIT_TAKE1(OIDCRedisCacheConnectTimeout, + oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, cache_redis_connect_timeout), + RSRC_CONF, + "Timeout for connecting to the Redis servers."), + AP_INIT_TAKE1(OIDCRedisCacheTimeout, + oidc_set_int_slot, + (void*)APR_OFFSETOF(oidc_cfg, cache_redis_timeout), + RSRC_CONF, + "Timeout waiting for a response of the Redis servers."), #endif AP_INIT_TAKE1(OIDCHTMLErrorTemplate, oidc_set_string_slot, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/metadata.c new/mod_auth_openidc-2.4.8.1/src/metadata.c --- old/mod_auth_openidc-2.4.7/src/metadata.c 2021-04-01 21:48:31.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/metadata.c 2021-05-07 15:06:37.000000000 +0200 
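Review bot: OIDCRedisCacheConnectTimeout and OIDCRedisCacheTimeout are registered with `oidc_set_int_slot`, which accepts any integer, while the merge logic in this patch uses `-1` as the "unset" sentinel; a configured `-1` is therefore indistinguishable from "not set", and `0` or other negative values reach hiredis unchecked. Register them with a positive-integer setter if the file already has one, or add a range check so the directive fails at startup on `<= 0`. The description strings should also name the unit, e.g. `"Timeout (in seconds) for connecting to the Redis servers."` and `"Timeout (in seconds) waiting for a response of the Redis servers."`, since the value is later used as `tv_sec`.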
@@ -119,6 +119,7 @@ #define OIDC_METADATA_USERINFO_REFRESH_INTERVAL "userinfo_refresh_interval" #define OIDC_METADATA_TOKEN_ENDPOINT_TLS_CLIENT_CERT "token_endpoint_tls_client_cert" #define OIDC_METADATA_TOKEN_ENDPOINT_TLS_CLIENT_KEY "token_endpoint_tls_client_key" +#define OIDC_METADATA_TOKEN_ENDPOINT_TLS_CLIENT_KEY_PWD "token_endpoint_tls_client_key_pwd" #define OIDC_METADATA_REQUEST_OBJECT "request_object" #define OIDC_METADATA_USERINFO_TOKEN_METHOD "userinfo_token_method" #define OIDC_METADATA_TOKEN_BINDING_POLICY "token_binding_policy" @@ -593,7 +594,7 @@ NULL, provider->registration_token, provider->ssl_validate_server, response, cfg->http_timeout_short, cfg->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), - NULL, NULL) == FALSE) { + NULL, NULL, NULL) == FALSE) { json_decref(data); return FALSE; } @@ -621,7 +622,7 @@ if (oidc_util_http_get(r, jwks_uri->url, NULL, NULL, NULL, jwks_uri->ssl_validate_server, &response, cfg->http_timeout_long, cfg->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, - NULL) == FALSE) + NULL, NULL) == FALSE) return FALSE; /* decode and see if it is not an error response somehow */ @@ -692,7 +693,7 @@ cfg->provider.ssl_validate_server, response, cfg->http_timeout_short, cfg->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), - NULL, NULL) == FALSE) + NULL, NULL, NULL) == FALSE) return FALSE; /* decode and see if it is not an error response somehow */ 
@@ -1325,6 +1326,10 @@ OIDC_METADATA_TOKEN_ENDPOINT_TLS_CLIENT_KEY, &provider->token_endpoint_tls_client_key, cfg->provider.token_endpoint_tls_client_key); + oidc_json_object_get_string(r->pool, j_conf, + OIDC_METADATA_TOKEN_ENDPOINT_TLS_CLIENT_KEY_PWD, + &provider->token_endpoint_tls_client_key_pwd, + cfg->provider.token_endpoint_tls_client_key_pwd); oidc_json_object_get_string(r->pool, j_conf, OIDC_METADATA_REQUEST_OBJECT, &provider->request_object, cfg->provider.request_object); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/mod_auth_openidc.c new/mod_auth_openidc-2.4.8.1/src/mod_auth_openidc.c --- old/mod_auth_openidc-2.4.7/src/mod_auth_openidc.c 2021-04-01 21:49:05.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/mod_auth_openidc.c 2021-05-07 15:06:37.000000000 +0200 @@ -1533,7 +1533,13 @@ *provider = oidc_get_provider_for_issuer(r, c, oidc_proto_state_get_issuer(*proto_state), FALSE); - return (*provider != NULL); + if (*provider == NULL) { + oidc_proto_state_destroy(*proto_state); + *proto_state = NULL; + return FALSE; + } + + return TRUE; } /* @@ -1983,11 +1989,15 @@ apr_table_get(params, OIDC_PROTO_REFRESH_TOKEN), apr_table_get(params, OIDC_PROTO_SESSION_STATE), apr_table_get(params, OIDC_PROTO_STATE), original_url, - userinfo_jwt) == FALSE) + userinfo_jwt) == FALSE) { + oidc_proto_state_destroy(proto_state); + oidc_jwt_destroy(jwt); return HTTP_INTERNAL_SERVER_ERROR; + } } else { oidc_error(r, "remote user could not be set"); + oidc_jwt_destroy(jwt); return oidc_authorization_response_error(r, c, proto_state, "Remote user could not be set: contact the website administrator", NULL); @@ -2617,7 +2627,7 @@ params, basic_auth, bearer_auth, c->oauth.ssl_validate_server, &response, c->http_timeout_long, c->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, - NULL) == FALSE) { + NULL, NULL) == FALSE) { oidc_warn(r, "revoking refresh token failed"); } apr_table_clear(params); 
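Review bot: The per-OP `token_endpoint_tls_client_key_pwd` value is copied from the JSON .conf file straight into `provider->token_endpoint_tls_client_key_pwd` via `oidc_json_object_get_string`, whereas the server-level directive goes through `oidc_set_passphrase_slot` (config.c hunk in this patch), which is presumably where the `exec:` form described in auth_openidc.conf is resolved. Unless that resolution also happens somewhere not shown here, an `exec:/path/to/prog` value in a per-OP metadata file would be handed to libcurl literally as the passphrase and the key would fail to load. Either run the metadata value through the same passphrase resolver, or document in auth_openidc.conf that `exec:` is honored only for the directive and the per-OP key must hold the plain passphrase. The enclosing function starts and ends outside this hunk.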
@@ -2632,7 +2642,7 @@ params, basic_auth, bearer_auth, c->oauth.ssl_validate_server, &response, c->http_timeout_long, c->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, - NULL) == FALSE) { + NULL, NULL) == FALSE) { oidc_warn(r, "revoking access token failed"); } } @@ -3900,6 +3910,9 @@ #if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 +#define OIDC_OAUTH_BEARER_SCOPE_ERROR "OIDC_OAUTH_BEARER_SCOPE_ERROR" +#define OIDC_OAUTH_BEARER_SCOPE_ERROR_VALUE "Bearer error=\"insufficient_scope\", error_description=\"Different scope(s) or other claims required\"" + /* * find out which action we need to take when encountering an unauthorized request */ 
@@ -3907,46 +3920,42 @@ oidc_debug(r, "enter"); - oidc_cfg *c = ap_get_module_config(r->server->module_config, - &auth_openidc_module); + oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); if (apr_strnatcasecmp((const char*) ap_auth_type(r), - OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) { - oidc_oauth_return_www_authenticate(r, "insufficient_scope", - "Different scope(s) or other claims required"); + OIDC_AUTH_TYPE_OPENID_OAUTH20) == 0) { + oidc_debug(r, "setting environment variable %s to \"%s\" for usage in mod_headers", OIDC_OAUTH_BEARER_SCOPE_ERROR, OIDC_OAUTH_BEARER_SCOPE_ERROR_VALUE); + apr_table_set(r->subprocess_env, OIDC_OAUTH_BEARER_SCOPE_ERROR, OIDC_OAUTH_BEARER_SCOPE_ERROR_VALUE); return AUTHZ_DENIED; } /* see if we've configured OIDCUnAutzAction for this path */ switch (oidc_dir_cfg_unautz_action(r)) { - // TODO: document that AuthzSendForbiddenOnFailure is required to return 403 FORBIDDEN - case OIDC_UNAUTZ_RETURN403: - case OIDC_UNAUTZ_RETURN401: - return AUTHZ_DENIED; - break; - case OIDC_UNAUTZ_AUTHENTICATE: - /* - * exception handling: if this looks like a XMLHttpRequest call we - * won't redirect the user and thus avoid creating a state cookie - * for a non-browser (= Javascript) call that will never return from the OP - */ - if (oidc_is_xml_http_request(r) == TRUE) + // TODO: document that AuthzSendForbiddenOnFailure is required to return 403 FORBIDDEN + case OIDC_UNAUTZ_RETURN403: + case OIDC_UNAUTZ_RETURN401: return AUTHZ_DENIED; - break; + break; + case OIDC_UNAUTZ_AUTHENTICATE: + /* + * exception handling: if this looks like a XMLHttpRequest call we + * won't redirect the user and thus avoid creating a state cookie + * for a non-browser (= Javascript) call that will never return from the OP + */ + if (oidc_is_xml_http_request(r) == TRUE) + return AUTHZ_DENIED; + break; } oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r), NULL, - NULL, NULL, oidc_dir_cfg_path_auth_request_params(r), - 
oidc_dir_cfg_path_scope(r)); + NULL, NULL, oidc_dir_cfg_path_auth_request_params(r), oidc_dir_cfg_path_scope(r)); const char *location = oidc_util_hdr_out_location_get(r); if (location != NULL) { - oidc_debug(r, "send HTML refresh with authorization redirect: %s", - location); + oidc_debug(r, "send HTML refresh with authorization redirect: %s", location); - char *html_head = apr_psprintf(r->pool, - "<meta http-equiv=\"refresh\" content=\"0; url=%s\">", - location); + char *html_head = + apr_psprintf(r->pool, "<meta http-equiv=\"refresh\" content=\"0; url=%s\">", location); oidc_util_html_send(r, "Stepup Authentication", html_head, NULL, NULL, HTTP_UNAUTHORIZED); /* @@ -3967,7 +3976,7 @@ const void *parsed_require_args, oidc_authz_match_claim_fn_type match_claim_fn) { - oidc_debug(r, "enter"); + oidc_debug(r, "enter: require_args=\"%s\"", require_args); /* check for anonymous access and PASS mode */ if (r->user != NULL && strlen(r->user) == 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/mod_auth_openidc.h new/mod_auth_openidc-2.4.8.1/src/mod_auth_openidc.h --- old/mod_auth_openidc-2.4.7/src/mod_auth_openidc.h 2021-04-03 20:06:43.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/mod_auth_openidc.h 2021-05-07 15:06:37.000000000 +0200 @@ -266,6 +266,7 @@ char *client_id; char *client_secret; char *token_endpoint_tls_client_key; + char *token_endpoint_tls_client_key_pwd; char *token_endpoint_tls_client_cert; int backchannel_logout_supported; @@ -316,6 +317,7 @@ char *client_secret; char *metadata_url; char *introspection_endpoint_tls_client_key; + char *introspection_endpoint_tls_client_key_pwd; char *introspection_endpoint_tls_client_cert; char *introspection_endpoint_url; char *introspection_endpoint_method; 
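Review bot: After this change an insufficient-scope 401 under the OAuth 2.0 auth type no longer carries a WWW-Authenticate header unless the administrator adds the mod_headers rule quoted in the ChangeLog; RFC 6750 §3 requires that header on such a response, and existing deployments that relied on the module emitting it will regress silently on upgrade. The macro definitions deserve a comment to that effect, e.g. `/* exported in r->subprocess_env on insufficient_scope; the WWW-Authenticate header itself must be emitted by mod_headers (Header always ...), see auth_openidc.conf */`, and the `Header always append WWW-Authenticate %{OIDC_OAUTH_BEARER_SCOPE_ERROR}e "expr=..."` example belongs in the auth_openidc.conf hunks of this patch rather than only in the ChangeLog (`always` is needed because it is an error response). The enclosing function starts outside this hunk.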
@@ -387,6 +389,8 @@
 char *cache_redis_server;
 char *cache_redis_password;
 int cache_redis_database;
+ int cache_redis_connect_timeout;
+ int cache_redis_timeout;
 #endif
 
 int cache_encrypt;
@@ -743,9 +747,9 @@ apr_byte_t oidc_util_request_is_secure(request_rec *r); void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires, const char *ext); char *oidc_util_get_cookie(request_rec *r, const char *cookieName); -apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, const char *ssl_key); -apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, const char *ssl_key); -apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, const char *ssl_key); +apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, const char *ssl_key, const char *ssl_key_pwd); +apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, const char *ssl_key, const char *ssl_key_pwd); +apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, 
char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, const char *ssl_key, const char *ssl_key_pwd); apr_byte_t oidc_util_request_matches_url(request_rec *r, const char *url); apr_byte_t oidc_util_request_has_parameter(request_rec *r, const char* param); apr_byte_t oidc_util_get_request_parameter(request_rec *r, char *name, char **value); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/oauth.c new/mod_auth_openidc-2.4.8.1/src/oauth.c --- old/mod_auth_openidc-2.4.7/src/oauth.c 2021-03-31 13:30:04.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/oauth.c 2021-05-07 15:06:37.000000000 +0200 @@ -59,7 +59,7 @@ if (oidc_util_http_get(r, url, NULL, NULL, NULL, cfg->oauth.ssl_validate_server, response, cfg->http_timeout_short, cfg->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), - NULL, NULL) == FALSE) + NULL, NULL, NULL) == FALSE) return FALSE; /* decode and see if it is not an error response somehow */ 
@@ -174,17 +174,23 @@ oidc_dir_cfg_pass_cookies(r), oidc_util_get_full_path(r->pool, c->oauth.introspection_endpoint_tls_client_cert), - oidc_util_get_full_path(r->pool, - c->oauth.introspection_endpoint_tls_client_key)) : - oidc_util_http_post_form(r, c->oauth.introspection_endpoint_url, - params, basic_auth, bearer_auth, - c->oauth.ssl_validate_server, response, - c->http_timeout_long, c->outgoing_proxy, - oidc_dir_cfg_pass_cookies(r), - oidc_util_get_full_path(r->pool, - c->oauth.introspection_endpoint_tls_client_cert), - oidc_util_get_full_path(r->pool, - c->oauth.introspection_endpoint_tls_client_key)); + oidc_util_get_full_path(r->pool, + c->oauth.introspection_endpoint_tls_client_key), + oidc_util_get_full_path(r->pool, + c->oauth.introspection_endpoint_tls_client_key_pwd) + ) : + oidc_util_http_post_form(r, c->oauth.introspection_endpoint_url, + params, basic_auth, bearer_auth, + c->oauth.ssl_validate_server, response, + c->http_timeout_long, c->outgoing_proxy, + oidc_dir_cfg_pass_cookies(r), + oidc_util_get_full_path(r->pool, + c->oauth.introspection_endpoint_tls_client_cert), + oidc_util_get_full_path(r->pool, + c->oauth.introspection_endpoint_tls_client_key), + oidc_util_get_full_path(r->pool, + c->oauth.introspection_endpoint_tls_client_key_pwd) + ); } /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/proto.c new/mod_auth_openidc-2.4.8.1/src/proto.c --- old/mod_auth_openidc-2.4.7/src/proto.c 2021-04-01 21:49:05.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/proto.c 2021-05-07 15:06:37.000000000 +0200 
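Review bot: The introspection call passes `c->oauth.introspection_endpoint_tls_client_key_pwd` through `oidc_util_get_full_path`, which is the helper used for the cert and key filenames; a passphrase is not a path, so a value without a leading slash would presumably be prefixed with the server root before it reaches CURLOPT_KEYPASSWD and the key could never be decrypted. Pass the field directly, as the proto.c hunk in this patch does for `provider->token_endpoint_tls_client_key_pwd`: replace the two `oidc_util_get_full_path(r->pool, c->oauth.introspection_endpoint_tls_client_key_pwd)` arguments with `c->oauth.introspection_endpoint_tls_client_key_pwd`. I also see no directive in the config.c hunks that sets this new oauth field, so unless it is assigned elsewhere it is always NULL and this argument is dead. The enclosing function starts and ends outside this hunk.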
@@ -1996,8 +1996,10 @@ oidc_dir_cfg_pass_cookies(r), oidc_util_get_full_path(r->pool, provider->token_endpoint_tls_client_cert), - oidc_util_get_full_path(r->pool, - provider->token_endpoint_tls_client_key)) == FALSE) { + oidc_util_get_full_path(r->pool, + provider->token_endpoint_tls_client_key), + provider->token_endpoint_tls_client_key_pwd + ) == FALSE) { oidc_warn(r, "error when calling the token endpoint (%s)", provider->token_endpoint_url); return FALSE; @@ -2237,7 +2239,7 @@ NULL, NULL, access_token, cfg->provider.ssl_validate_server, &s_json, cfg->http_timeout_long, cfg->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), - NULL, NULL); + NULL, NULL, NULL); } } if ((s_json != NULL) && (strcmp(s_json, "") != 0)) { @@ -2302,7 +2304,7 @@ if (oidc_util_http_get(r, provider->userinfo_endpoint_url, NULL, NULL, access_token, provider->ssl_validate_server, response, cfg->http_timeout_long, cfg->outgoing_proxy, - oidc_dir_cfg_pass_cookies(r), NULL, NULL) == FALSE) + oidc_dir_cfg_pass_cookies(r), NULL, NULL, NULL) == FALSE) return FALSE; } else if (provider->userinfo_token_method == OIDC_USER_INFO_TOKEN_METHOD_POST) { @@ -2311,7 +2313,7 @@ if (oidc_util_http_post_form(r, provider->userinfo_endpoint_url, params, NULL, NULL, provider->ssl_validate_server, response, cfg->http_timeout_long, cfg->outgoing_proxy, - oidc_dir_cfg_pass_cookies(r), NULL, NULL) == FALSE) + oidc_dir_cfg_pass_cookies(r), NULL, NULL, NULL) == FALSE) return FALSE; } else { oidc_error(r, "unsupported userinfo token presentation method: %d", @@ -2376,7 +2378,7 @@ if (oidc_util_http_get(r, url, params, NULL, NULL, cfg->provider.ssl_validate_server, &response, cfg->http_timeout_short, cfg->outgoing_proxy, - oidc_dir_cfg_pass_cookies(r), NULL, NULL) == FALSE) { + oidc_dir_cfg_pass_cookies(r), NULL, NULL, NULL) == FALSE) { /* errors will have been logged by now */ return FALSE; } 
@@ -2892,8 +2894,10 @@ if ((must_validate_code == TRUE) && (oidc_proto_validate_code(r, provider, *jwt, response_type, code) - == FALSE)) + == FALSE)) { + oidc_jwt_destroy(*jwt); return FALSE; + } return TRUE; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_auth_openidc-2.4.7/src/util.c new/mod_auth_openidc-2.4.8.1/src/util.c --- old/mod_auth_openidc-2.4.7/src/util.c 2021-04-01 21:48:31.000000000 +0200 +++ new/mod_auth_openidc-2.4.8.1/src/util.c 2021-05-07 15:06:37.000000000 +0200 @@ -668,7 +668,7 @@ const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, - const char *ssl_key) { + const char *ssl_key, const char *ssl_key_pwd) { char curlError[CURL_ERROR_SIZE]; oidc_curl_buffer curlBuffer; CURL *curl; @@ -679,10 +679,10 @@ /* do some logging about the inputs */ oidc_debug(r, - "url=%s, data=%s, content_type=%s, basic_auth=%s, bearer_token=%s, ssl_validate_server=%d, timeout=%d, outgoing_proxy=%s, pass_cookies=%pp, ssl_cert=%s, ssl_key=%s", + "url=%s, data=%s, content_type=%s, basic_auth=%s, bearer_token=%s, ssl_validate_server=%d, timeout=%d, outgoing_proxy=%s, pass_cookies=%pp, ssl_cert=%s, ssl_key=%s, ssl_key_pwd=%s", url, data, content_type, basic_auth ? "****" : "null", bearer_token, ssl_validate_server, timeout, outgoing_proxy, pass_cookies, - ssl_cert, ssl_key); + ssl_cert, ssl_key, ssl_key_pwd ? "****" : "(null)"); curl = curl_easy_init(); if (curl == NULL) { @@ -815,6 +815,8 @@ curl_easy_setopt(curl, CURLOPT_SSLCERT, ssl_cert); if (ssl_key != NULL) curl_easy_setopt(curl, CURLOPT_SSLKEY, ssl_key); + if (ssl_key_pwd != NULL) + curl_easy_setopt(curl, CURLOPT_KEYPASSWD, ssl_key_pwd); if (data != NULL) { /* set POST data */ 
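Review bot: After the added `oidc_jwt_destroy(*jwt);` the out-parameter still holds the freed pointer when the function returns FALSE, so any caller that inspects or destroys `*jwt` on the failure path would read freed memory or double-free it. Clearing it alongside the destroy makes the failure state unambiguous: `oidc_jwt_destroy(*jwt); *jwt = NULL;`. Whether a caller relies on `*jwt` after a FALSE return cannot be seen from the hunk, and the enclosing function starts outside it.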
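Review bot: The reworked oidc_debug() call in the util.c hunk at -679 masks `basic_auth` and the new `ssl_key_pwd`, but on the same line still prints `bearer_token` verbatim, so an access token lands in the error log whenever debug logging is enabled. Since the argument list is being edited anyway, masking it the same way keeps credentials out of the log: `url, data, content_type, basic_auth ? "****" : "null", bearer_token ? "****" : "null",`. The `data` argument may likewise carry form-encoded client credentials depending on the caller, which is not visible from this hunk; the enclosing oidc_util_http_call body continues outside it.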
@@ -898,11 +900,11 @@ const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, - const char *ssl_key) { + const char *ssl_key, const char *ssl_key_pwd) { char *query_url = oidc_util_http_query_encoded_url(r, url, params); return oidc_util_http_call(r, query_url, NULL, NULL, basic_auth, bearer_token, ssl_validate_server, response, timeout, - outgoing_proxy, pass_cookies, ssl_cert, ssl_key); + outgoing_proxy, pass_cookies, ssl_cert, ssl_key, ssl_key_pwd); } /* @@ -913,12 +915,12 @@ const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, const char *ssl_cert, - const char *ssl_key) { + const char *ssl_key, const char *ssl_key_pwd) { char *data = oidc_util_http_form_encoded_data(r, params); return oidc_util_http_call(r, url, data, OIDC_CONTENT_TYPE_FORM_ENCODED, basic_auth, bearer_token, ssl_validate_server, response, timeout, outgoing_proxy, - pass_cookies, ssl_cert, ssl_key); + pass_cookies, ssl_cert, ssl_key, ssl_key_pwd); } /* @@ -928,13 +930,13 @@ json_t *json, const char *basic_auth, const char *bearer_token, int ssl_validate_server, char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies, - const char *ssl_cert, const char *ssl_key) { + const char *ssl_cert, const char *ssl_key, const char *ssl_key_pwd) { char *data = json != NULL ? oidc_util_encode_json_object(r, json, JSON_COMPACT) : NULL; return oidc_util_http_call(r, url, data, OIDC_CONTENT_TYPE_JSON, basic_auth, bearer_token, ssl_validate_server, response, timeout, - outgoing_proxy, pass_cookies, ssl_cert, ssl_key); + outgoing_proxy, pass_cookies, ssl_cert, ssl_key, ssl_key_pwd); } /* 
@@ -1628,10 +1630,9 @@ const char *content_type = NULL; content_type = oidc_util_hdr_in_content_type_get(r); - if ((r->method_number != M_POST) || (strstr(content_type, + if ((r->method_number != M_POST) || (content_type == NULL) || (strstr(content_type, OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) { - oidc_debug(r, "required content-type %s not found", - OIDC_CONTENT_TYPE_FORM_ENCODED); + oidc_debug(r, "required content-type %s not found", OIDC_CONTENT_TYPE_FORM_ENCODED); goto end; }